Transmittal of FY 2012 Evaluation of EEOC's Compliance with Provisions of the Federal Information Security Management Act of 2002 (FISMA) (OIG Report No. 2012-03-FISMA)
U.S. Equal Employment Opportunity Commission
Office of Inspector General

November 14, 2012

MEMORANDUM

TO: Kimberly Hancher, Director
Office of Information Technology

FROM: Milton A. Mayo, Jr.
Inspector General

SUBJECT: Transmittal of FY 2012 Evaluation of EEOC's Compliance with Provisions of the Federal Information Security Management Act of 2002 (FISMA) (OIG Report No. 2012-03-FISMA)

The Office of Inspector General contracted with the Certified Public Accounting firm CliftonLarsonAllen LLP, formerly known as Clifton Gunderson LLP, to conduct an independent evaluation of EEOC's information security program and practices as required by FISMA, and to comply with the Office of Management and Budget's (OMB) reporting requirements for Inspectors General.

Attached is the FY 2012 Evaluation of EEOC's Compliance with Provisions of the Federal Information Security Management Act of 2002 (FISMA) report prepared by Clifton Gunderson (CG). CG notes in its report that the EEOC has made positive strides over the last year in addressing information security weaknesses; however, improvements are needed in the following areas: Maintaining Documentation for Network Access Requests/Approvals, Implementing Multi-Factor Authentication, Maintaining Documentation of Acceptance and Understanding of Information Security Responsibilities, and Maintaining the Incident Response Policy to Reflect All US-CERT Categorization Types. Management's comments are included in the report. Also, the status of prior year FISMA findings is included as Appendix A of the report.

The Office of Management and Budget issued Circular Number A-50, Audit Follow-Up, to ensure that corrective action on audit findings and recommendations proceeds as rapidly as possible. EEOC Order 192.002, Audit Follow-Up Program, implements Circular Number A-50 and requires that, for resolved recommendations, a corrective action work plan be submitted within 30 days of the final evaluation report date describing the specific tasks and completion dates necessary to implement audit recommendations. Circular Number A-50 requires prompt resolution and corrective action on audit recommendations. Resolutions should be made within six months of final report issuance.

If you have any questions, please feel free to contact Mr. Willie Eggleston, Senior Auditor, at extension 4372. We appreciate your assistance.

cc: Pierette McIntire

Evaluation of Equal Employment Opportunity Commission's (EEOC) Compliance with Provisions of the Federal Information Security Management Act of 2002
Fiscal Year 2012
Final Report

TABLE OF CONTENTS
Executive Summary
Background
Audit Objective
Scope
Testing Methodology
Findings and Recommendations
Appendix A: Status of Prior Year (FY2011) Findings

Executive Summary

The EEOC Office of Inspector General (OIG) contracted with CliftonLarsonAllen LLP (CLA) to conduct an audit of EEOC's compliance with the provisions of the Federal Information Security Management Act of 2002 for Fiscal Year (FY) 2012. The Federal Information Security Management Act of 2002 (FISMA) requires agencies to develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

The audit meets the FISMA requirement for an annual evaluation of EEOC's information security program. The overall objective of this audit was to determine if EEOC's information security program met the requirements of the Federal Information Security Management Act of 2002. Specifically, we performed audit work associated with the FISMA Office of Management and Budget (OMB) annual reporting requirements for OIGs and completed a review of six EEOC information systems: the EEOC Network, EEO-1 Survey System, Document Management System (DMS), Integrated Mission System (IMS), Financial Cloud Solutions (FCS), and Federal Personnel and Payroll System (FPPS). In addition, four Notices of Finding and Recommendation (NFRs) were submitted to EEOC management, covering findings from both the system reviews and the component level review.

The audit concluded that EEOC met most, but not all, of the key requirements of FISMA. The Agency has made positive strides over the last year in addressing information security weaknesses and continues to make progress in becoming fully compliant with FISMA. However, EEOC still faces challenges in refining its information security program. These challenges involve:
Maintaining documentation for network access requests/approvals (see page 6)
Implementing multi-factor authentication (see page 7)
Maintaining documentation of acceptance and understanding of information security responsibilities (see page 8)
Revising the incident response policy to reflect all US-CERT categorization types (see page 9)

Consequently, EEOC's operations and assets may be at risk of misuse and disruption. The report contains four recommendations to help EEOC improve its information security program and practices.

This report is intended solely for the information and use of the management of EEOC and OIG and is not intended to be and should not be used by anyone other than these specified parties.

Background

Organization

The U.S. Equal Employment Opportunity Commission (EEOC) is responsible for enforcing federal laws that make it illegal to discriminate against a job applicant or an employee because of the person's race, color, religion, sex (including pregnancy), national origin, age (40 or older), disability or genetic information. It is also illegal to discriminate against a person because the person complained about discrimination, filed a charge of discrimination, or participated in an employment discrimination investigation or lawsuit. The EEOC has the authority to investigate charges of discrimination against employers who are covered by the law.

The EEOC is composed of five Commissioners and a General Counsel appointed by the President and confirmed by the Senate. Commissioners are appointed for five-year staggered terms; the General Counsel's term is four years. The President designates a Chair and a Vice Chair. The Chair is the Chief Executive Officer of the EEOC.

The EEOC has 53 field offices and is headquartered in Washington, D.C. Additional information about EEOC may be found at http://www.eeoc.gov.

Federal Information Security Management Act

The Federal Information Security Management Act of 2002 (FISMA) was enacted into law as Title III of the E-Government Act (E-Gov) of 2002 (P.L. 107-347, December 17, 2002).
Key requirements of FISMA include:
The establishment of an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source;
An annual independent evaluation of the agency's information security programs and practices; and
An assessment of compliance with the requirements of the Act.

FISMA requires agency heads to ensure that (1) employees are sufficiently trained in their security responsibilities, (2) a security incident response capability is established, and (3) information security management is integrated with the agency's strategic and operational planning processes. All agencies must also report annually to the Office of Management and Budget (OMB) and Congressional committees on the effectiveness of their information security program. In addition, FISMA has established that the standards and guidelines issued by the National Institute of Standards and Technology (NIST) are mandatory for Federal agencies.

Audit Objective

A key requirement of the Federal Information Security Management Act of 2002 is an annual independent evaluation of the Agency's information security program. As a result, CLA was contracted by EEOC OIG to review the Agency's information security program and practices as set forth by the Federal Information Security Management Act of 2002 for FY 2012. The work performed under this engagement involved a review of the effectiveness of the Agency's Office of Information Technology (OIT) oversight of the Agency's information security program and an evaluation of six EEOC information systems: the EEOC Network, EEO-1 Survey System, Document Management System, Integrated Mission System, Financial Cloud Solutions, and Federal Personnel and Payroll System.

In addition, we were required to complete the FY 2012 OMB FISMA Reporting Template, an annual reporting requirement for OIGs.

Scope

CLA performed the audit in support of the EEOC OIG's FISMA reporting requirements. The period covered by this audit ended September 30, 2012. We conducted the audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.

The purpose of the audit was to determine if EEOC's information security program met the requirements of FISMA. In assessing EEOC's adherence to FISMA, we conducted component level and system level testing to support FISMA compliance. In conducting our review of the Agency's Office of the CIO's oversight over EEOC's information security program and practices, the following areas were reviewed:
Organizational responsibilities and authority
Information security policies and procedures
System security plans
Risk assessments
Continuity of operations plan
Security incident reporting
Security awareness, training, and education
Certification and accreditation process
Remedial action process (plan of action and milestones)
System configuration management
Annual information security program reporting

With regard to the system level testing, CLA, in conjunction with the EEOC OIG, selected the EEOC Network, EEO-1 Survey System, Document Management System, Integrated Mission System, Financial Cloud Solutions, and Federal Personnel and Payroll System to evaluate as part of the scope of work. The audit included testing of selected management, technical, and operational controls of the information systems outlined in National Institute of Standards and Technology (NIST) Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems.
The following NIST Special Publication 800-53 controls were reviewed for the EEOC Network, EEO-1 Survey System, Document Management System, Integrated Mission System, Financial Cloud Solutions, and Federal Personnel and Payroll System:
Access Control
Audit and Accountability
Certification, Accreditation and Security Assessments
Configuration Management
Contingency Planning
Identification and Authentication
Maintenance
Security Planning
Risk Assessment
System and Services Acquisition
System and Communications Protection
System and Information Integrity

In addition, we completed a follow-up review of prior year FISMA findings and recommendations to determine if EEOC had made progress on implementing the recommended improvements in its information security program.

Four NFRs were submitted to EEOC management, covering findings from both the system reviews and the component level review.

At the time of the audit, EEOC operated the following information systems:
EEOC Network (General Support System)
Major Applications:
EEO-1 Survey System
Document Management System (DMS)
Integrated Mission System (IMS)
Financial Cloud Solutions (owned by another Federal Agency)

This report is intended solely for the information and use of the management of EEOC and the EEOC OIG and is not intended to be and should not be used by anyone other than these specified parties.

Testing Methodology

To determine if EEOC's information security program met the requirements of FISMA, we conducted interviews with EEOC staff members and reviewed legal and regulatory requirements stipulated by FISMA. We also reviewed documentation related to EEOC's information security program. These documents included, but were not limited to, EEOC's security policies and procedures, plans of action and milestones, system security plans, risk assessments, certification and accreditation documentation, contingency plans, and incident reporting procedures. In addition, we performed tests of system processes to determine the adequacy and effectiveness of those controls. We also evaluated available data supporting EEOC's annual FISMA report to OMB on its information system security program.

Findings and Recommendations

EEOC has achieved progress towards FISMA compliance over the last year. Specifically, EEOC has implemented the following FISMA requirements:
Strengthened its vulnerability scanning and patch remediation program and procedures.
Updated its business impact analysis (BIA) so that it accurately maps to disaster recovery testing results.
Implemented a revalidation and review process to remove and disable unneeded virtual private network accounts.

Although EEOC has made improvements in its information security program, the agency still faces challenges in refining its information security program. These challenges involve:
Maintaining documentation for network access requests/approvals (see page 6)
Implementing multi-factor authentication (see page 7)
Maintaining documentation of acceptance and understanding of information security responsibilities (see page 8)
Maintaining the incident response policy to reflect all US-CERT categorization types (see page 9)

These findings are further discussed below.

Access Control/Identification and Authentication

Network access request forms were not adequately maintained (NFR Reference # 2012 - 1)

Access request forms, which document the request and approval for network access, were not provided for two out of twenty-five individuals sampled. In addition, Integrated Mission System (IMS) access request forms were not provided for six of ten individuals sampled.

Without an appropriate access request form, excessive access to agency information may be granted and sensitive information could be compromised.

National Institute of Standards and Technology Special Publication (NIST SP) 800-53 Revision 3, Recommended Security Controls for Federal Information Systems, control AC-2, states the following regarding account management: "The organization manages information system accounts, including: Identifying account types (i.e., individual, group, system, application, guest/anonymous, and temporary); Establishing conditions for group membership; Identifying authorized users of the information system and specifying access privileges; Requiring appropriate approvals for requests to establish accounts; Establishing, activating, modifying, disabling, and removing accounts; Specifically authorizing and monitoring the use of guest/anonymous and temporary accounts; Notifying account managers when temporary accounts are no longer required and when information system users are terminated, transferred, or information system usage or need-to-know/need-to-share changes; Deactivating: (i) temporary accounts that are no longer required; and (ii) accounts of terminated or transferred users; Granting access to the system based on: (i) a valid access authorization; (ii) intended system usage; and (iii) other attributes as required by the organization or associated missions/business functions; and Reviewing accounts."

Recommendation:
Recommendation No. 1: We recommend that EEOC implement a centralized repository to maintain control of access request forms.

Management Response:
Management indicated concurrence with this finding, additionally stating:
"Network access forms - EEOC would like to note that we do have a centralized repository for maintaining network user access forms. We concur with the 92% compliance finding for retrieval of network access forms in FY 2012 and are encouraged that this area shows progress over the 77% compliance rate finding in FY 2011. OIT expects that this rate will remain at the >90% level until we can move away from manual processes and implement more automated on-boarding/account creation practices. In the interim, EEOC accepts the >90% rate as an acceptable level of compliance risk.
IMS - OIT will conduct a recertification of all IMS users in the first quarter of FY 2013 and will review and update policies related to preservation of account authorization forms. Remediation dates will be determined and included in the system POA&M."

Auditor's Evaluation of Management's Response:
Management agrees with the condition of the missing access request forms. CLA's recommendation on a centralized repository was based upon management's need to obtain and request access request forms for several individuals from various field offices, since they were not available at headquarters. We agree that more automated on-boarding/account creation practices would assist in mitigating the risk of lost forms under current manual processes. Effective implementation of the actions noted in management's response for IMS users should resolve the reported condition and recommendation.

EEOC did not fully implement multi-factor authentication (NFR Reference # 2012 - 3)

Through inquiry with management and review of the Data Net System Security Plan, we determined that EEOC has not fully implemented multi-factor authentication for remote access through the Virtual Private Network (VPN), or for network and local accounts. Although an Acceptance of Risk was provided for newly imaged laptops, legacy laptops use a common password as part of their two-factor authentication.

Without a fully implemented multi-factor authentication process, the risk of unauthorized access increases.

National Institute of Standards and Technology Special Publication (NIST SP) 800-53 Revision 3, Recommended Security Controls for Federal Information Systems, control IA-2, states the following regarding identification and authentication: "The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users)." The applicable control enhancements state: "(1) The information system uses multifactor authentication for network access to privileged accounts. (2) The information system uses multifactor authentication for network access to non-privileged accounts. (3) The information system uses multifactor authentication for local access to privileged accounts. (8) The information system uses [Assignment: organization-defined replay-resistant authentication mechanisms] for network access to privileged accounts."

Recommendation:
Recommendation No. 2: We recommend that EEOC implement multifactor authentication for network access to non-privileged and privileged accounts.

Management Response:
Management indicated concurrence with this finding, additionally stating:
"EEOC continues to acknowledge that we have not implemented multifactor authentication for network access. This project is dependent on full (>80%) implementation of HSPD-12 PIV cards to all EEOC users as well as funding to deploy the logical access requirements. EEOC has a risk acceptance on file, signed by the CIO, for this vulnerability."

Auditor's Evaluation of Management's Response:
EEOC agrees that it has not implemented multifactor authentication for network access. However, the compensating controls described within the risk waiver rely upon data encryption and utilities to detect and mitigate malicious activity, rather than on additional strengthening of the existing user authentication controls to compensate for the lack of multifactor authentication. Effective implementation of the actions noted in management's response should resolve the reported condition and recommendation.

Planning

Documented acceptance and understanding of information security responsibilities were not adequately maintained (NFR Reference # 2012 - 2)

Documented acceptance and understanding of information security responsibilities were not available for 12 (48%) out of 25 individuals hired during FY 2012.

If acknowledgment of security responsibilities is not documented, users may be unaware of potential risks and of their responsibilities in the use of EEOC information systems.

EEOC Order 240.005 states the following: "The Chief Human Capital Officer is responsible for: Assuring that all new employees, as part of their orientation package, receive and sign an acknowledgment of receipt of 'Information Security Responsibilities of EEOC System Users' (Appendix A)."

National Institute of Standards and Technology Special Publication (NIST SP) 800-53 Revision 3, Recommended Security Controls for Federal Information Systems, control PL-4, states the following regarding rules of behavior: "The organization establishes and makes readily available to all information system users, a set of rules that describes their responsibilities and expected behavior with regard to information and information system usage. The organization receives signed acknowledgment from users indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to the information system and its resident information."

Recommendation:
Recommendation No. 3: We recommend that EEOC management ensure that all network users have read and signed the acknowledgment of receipt of Information Security Responsibilities of EEOC System Users and that the forms are managed in a centralized location.

Management Response:
Management indicated concurrence with this finding, additionally stating:
"OIT would like to clarify that this finding specifically relates to interns/volunteers, not 'New Hires', which implies a newly hired employee. EEOC 'new hires' go through a formal on-boarding process in both Headquarters and the Field which includes the review and signature of the Information Security Responsibilities document (which is then stored with their personnel file). All 12 individuals who were identified as not having evidence of acknowledgement were interns, volunteers, or temps - some of whom may not go through the formal new-hire process.
To mitigate the risk of users not remembering or not previously acknowledging the Security Responsibilities document, in July 2012, EEOC conducted an on-line review and acceptance of the 'EEOC Network/Desktop Rules of Behavior' and the 'Information Security Responsibilities of EEOC System Users' for all system users - with the user's acknowledgement stored in a centralized location. Therefore, all system users on-board during this timeframe acknowledged their responsibilities. In addition, in August 2012, we conducted the annual Security Awareness Training which is mandatory for all system users.
OIT acknowledges that these annual certification measures may miss some of the interns, volunteers, and temporary staff that are only on-board for a few weeks or months. Therefore, we will develop plans and procedures to better ensure that the Rules are acknowledged within a specified period of time of network account creation. Timelines related to this remediation will be documented in the system POA&M."

Auditor's Evaluation of Management's Response:
Effective implementation of the actions noted in management's response (last paragraph) should resolve the reported condition and recommendation.

Incident Response

The Incident Response Policy is incomplete (NFR Reference # 2012 - 4)

EEOC's incident response policy (V1.4) reflects only 4 of the 6 current incident categorization types prescribed by the United States Computer Emergency Readiness Team (US-CERT).

Without the inclusion of all 6 severity ratings, EEOC increases the risk of not notifying the proper officials about an incident in a timely manner, so that action can be taken to avoid or minimize compromise of the information system and its data.

NIST SP 800-61, Rev. 2, Incident Response to Computer Security Events, Section 2.3.1 "Policy Elements" states:
Policy governing incident response is highly individualized to the organization. However, most policies include the same key elements:
Statement of management commitment
Purpose and objectives of the policy
Scope of the policy (to whom and what it applies and under what circumstances)
Definition of computer security incidents and related terms
Organizational structure and definition of roles, responsibilities, and levels of authority; should include the authority of the incident response team to confiscate or disconnect equipment and to monitor suspicious activity, the requirements for reporting certain types of incidents, the requirements and guidelines for external communications and information sharing (e.g., what can be shared with whom, when, and over what channels), and the handoff and escalation points in the incident management process
Prioritization or severity ratings of incidents
Performance measures (as discussed in Section 3.4.2)
Reporting and contact forms

Recommendation:
Recommendation No. 4: We recommend that EEOC management revise the agency's policy to correctly reflect the entire severity rating list published by US-CERT.

Management Response:
Management indicated concurrence with this finding, additionally stating:
"OIT had purposefully documented four categories in our Incident Response Policy, as Category 6 is not applicable to reporting and Category 5 was incorporated into our Category 3. However, we have updated the policy and related log sheets to reflect the full six categories, based on the auditor's recommendation. These updated documents were provided to the auditor on 10/19/12."

Auditor's Evaluation of Management's Response:
Effective implementation of the actions noted in management's response should resolve the reported condition and recommendation.

Appendix A: Status of Prior Year (FY2011) Findings

Item 1
Finding: EEOC has not fully implemented multifactor authentication for remote access.
Description: Through inquiry with management and review of the Data Net System Security Plan, EEOC has not fully implemented multi-factor authentication for remote access through the Virtual Private Network (VPN), as well as for network and local accounts. Although an Acceptance of Risk was provided for newly imaged laptops, legacy laptops use a common password as part of their two-factor authentication.
Control Family: Access Control
Current Year Status: Open
Comments: Multifactor authentication for remote access is still not fully implemented. (See NFR # 2012 - 03)

Item 2
Finding: The agency-wide Business Impact Analysis (BIA) has not been updated.
Description: Through inquiry with the EEOC Chief Security Officer, the EEOC agency-wide Business Impact Analysis (BIA) has not been updated since 2002 to reflect the current system environment and to address the weaknesses identified during subsequent disaster recovery tests.
Control Family: Contingency Planning
Current Year Status: Closed
Comments: The Business Impact Analysis (BIA) was updated.

Item 3
Finding: Vulnerability scanning control weaknesses were identified.
Description: Through inquiry with management and performance of an external network vulnerability assessment, we noted the following control weaknesses: EEOC management did not apply version releases promptly (1 critical and 5 high vulnerabilities were found) to critical network devices; credentialed network vulnerability scanning was not being performed.
Control Family: Configuration Management
Current Year Status: Closed
Comments: Version releases were applied promptly and credentialed network vulnerability scanning has occurred.

Item 4
Finding: Excessive Virtual Private Network (VPN) accounts were discovered.
Description: Through testing of active VPN accounts, CLA discovered 1 employee who had separated but still remained on the enabled VPN list.
Control Family: Account and Identity Management
Current Year Status: Closed
Comments: Through FY2012 testing of active VPN accounts, there were no active separated individuals.

Item 5
Finding: Access request forms could not be provided for all employees sampled.
Description: Access request forms, which document the request and approval for network access, could not be provided for seven out of thirty employees sampled.
Control Family: Identity and Access Management
Current Year Status: Open
Comments: Access request forms, which document the request and approval for network access, were not provided for two out of twenty-five individuals sampled. (See NFR # 2012 - 01)